Thursday, 4 August 2011

WADA and Operation "Shady Rat"

Yesterday the World Anti Doping Agency (WADA) issued a press release regarding the McAfee Operation Shady Rat report. Nothing in the released paper obliged WADA to make a public announcement, but in doing so they have at least recognised the analysis performed by McAfee Labs. McAfee uniquely identified 72 organisations, which it broke down into 6 sectors and 32 categories. Of those organisations, 4 were named, and of those only WADA had released a public statement at the time of writing (August 4th, 2011). We reviewed both the statement and McAfee's white paper, performed some high level analysis and drew some rudimentary but fair conclusions.

Information disclosure

WADA, having been named by McAfee, have done the responsible thing: acknowledged the white paper and communicated that they're looking into it. Unfortunately, that's not all they said. Their 6 paragraph press release goes on to reveal information about:

Their current defences (they use a managed solution from ISS (IBM)).

A previous apparently unrelated security breach (in February 2008, they don't appear on McAfee's radar until August 2009).

Their response to a breach of their email system (they upgraded their firewalls).

That they escalate attacks to both national and international law enforcement agencies.

That McAfee have not provided them with any information on the attack, its extent or the systems involved.

Openly disclosing information about the defences you have in place is poor security practice, and to a technically savvy reader it undermines your good intentions: an attacker who knows which vendor monitors your network and that a previous breach was answered with a firewall upgrade knows what to test against and what to avoid. Although privacy of one's security operations is only a minor control, the less an attacker knows about those operations, the less informed their next attempt will be. Such information is commonly leaked anyway, through poor server configuration, vendor press releases and the like, but keeping as much of it private as you can is still solid security advice.

The statement gives away far too much information. Although it is essentially a public relations exercise by WADA, it would be fair to conclude that they were poorly advised by their representatives on what they should say. The right approach is to acknowledge the white paper; say that you're taking it seriously; say that you're investigating McAfee's analysis; and welcome their involvement, without refuting their claims. Releasing a 'knee jerk' press release is in this case not the best course of action and shows a lack of preparedness.

How would we have advised WADA?

We took the WADA press release and the material released by McAfee and authored the following response. This is how WE would have done it:

"Following the release of the McAfee white paper on Operation Shady Rat, WADA can confirm that we are in dialogue with McAfee and are thoroughly investigating the reported intrusions. This includes actively working with our retained security experts pending further specific information. We have already taken steps to further bolster the operational security of our systems by working with our security technology and service providers. We will continue to work with all parties concerned to ensure an appropriate and timely response until the matter is resolved in a satisfactory manner."

Issuing a press release similar to the above would acknowledge the McAfee report while outlining, at a high level, the steps being taken to investigate the specific claims. Additionally, it demonstrates that immediate reactionary and remedial actions have been taken, and thus the seriousness with which the matter is being treated, without giving away specific details of the defences involved.

So why only four?

The white paper details intrusions at 72 organisations. Of those 72, only four were named explicitly in the paper:

McAfee does not detail why these organisations were selected to be named; and certainly from the WADA press release, the conclusion could be drawn that they neither gave their permission to be named nor were informed in advance of the disclosure. Interestingly, even though 68% of the organisations listed were in the United States, none of those were named. The white paper's author justifies naming the four organisations as a way to "reinforce the fact that virtually everyone is falling prey to these intrusions". Naming fewer than 6% of the organisations represented adds little to the weight of the white paper; the remaining 68 organisations provide an equally powerful message.

The analysis presented is relatively lightweight and is given without references, without correlation against significant events along the timeline, and without analysis of the countries notably absent from the list. The author alludes to the fact that further analysis would be interesting, but without access to the raw data we must rely on McAfee potentially performing that analysis in the future.

Throwing stones in glass houses

Of course, it shouldn't go unnoticed that the author states:

"I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly)"

And then goes on to say:

"In fact, I divide the entire set of Fortune Global 2000 firms into two categories: those that know they've been compromised and those that don’t yet know."

Intel (the owner of McAfee) is itself a Fortune Global 2000 firm, so by the author's own reasoning it falls cleanly into one of these two categories, and it's also likely that McAfee security software is running within a significant portion of the other organisations similarly categorised.

We don't dispute the quotes above: the threat posed to organisations is considerable, and credit should be given to McAfee Labs for not sugar-coating the information or the statistics presented.

Conclusions

Were WADA right to release a press statement? Yes.

How ethical were McAfee in naming some organisations and not others? Without knowing the reasons behind this it's hard to produce a definitive conclusion, however it would appear that not all organisations were treated equally.

Did WADA release too much information in their press release? Yes, without question. A more succinct response, concentrating on the McAfee release would have been a more appropriate announcement.

All of this goes to show that every organisation should be prepared for such disclosures. Having a pre-planned response for a variety of such scenarios will ensure that messaging is clear and concise, without further undermining your organisation's security. As with all reactionary events, it is also good to run a fire drill so that the organisation's response processes are well known and second nature, even if the need for them hopefully never arises.